A recap of the RSA Conference touches everything from cloud security to cyber-war.

The 20th annual RSA Conference in San
Francisco came to a close Feb. 18, ending a week of product
announcements, keynotes and educational sessions that produced their share
of news. This year's hot topics: cloud computing and cyber-war.
The conference included a new session track about cloud computing, and the
topic was the subject of the keynote
by Art Coviello, executive vice president at EMC
and executive chairman of the company's RSA
security division. Virtualization and cloud computing have the power to
change the evolution of security dramatically in the years to come, he said.

"At this point, the IT industry believes in the potential of
virtualization and cloud computing," Coviello said. "IT organizations
are transforming their infrastructures. ... But in any of these transformations,
the goal is always the same for security-getting the right information to the
right people over a trusted infrastructure in a system that can be governed and
managed."

EMC's RSA
security division kicked the week off by announcing the Cloud Trust Authority,
a set of cloud-based services meant to facilitate secure and compliant
relationships between organizations and cloud service providers by enabling
visibility and control over identities and information. EMC
also announced the new EMC Cloud Advisory
Service with Cloud Optimizer.
In addition, the Cloud Security
Alliance (CSA) held the CSA Summit Feb. 14, featuring keynotes from Salesforce.com Chairman and CEO
Marc Benioff and U.S. Chief Information Officer Vivek
Kundra.
But the cloud was just one of several items touched on during the
conference. Cyber-war
and efforts to protect critical infrastructure companies were also
discussed repeatedly. In a panel conversation, former Department of
Homeland Security Secretary Michael Chertoff, security guru Bruce
Schneier, former National Security Agency Director John Michael McConnell
and James Lewis, director and senior fellow of the Center for Strategic and
International Studies' Technology and Public Policy Program, discussed the
murkiness of cyber-warfare discussions.
"We had a Cold War that allowed us to build a deterrence policy and
relationships with allies and so on, and we prevailed in that war,"
McConnell said. "But the idea is the nation debated the issue and made
some policy decisions through its elected representatives, and we got to the
right place. ... I would like to think we are an informed society, [and] with the
right debate, we can get to the right place, but if you look at our history, we
wait for a catastrophic event."
Part of the solution is partnerships
between the government and the private sector.
"One of the biggest issues you got-[and] unfortunately we haven't
made enough progress-we need better coordination across the government
agencies, and from the government agencies to the private sector,"
Symantec CEO Enrique Salem said. "I
think we still work too much in silos inside the government [and] work too much
in silos between the government and the private sector."
The purpose of such efforts is to target advanced
persistent threats (APTs).
"Part of the problem of when you define [advanced persistent threats],
it's not going to be like one single piece of software or platform; it's a
whole methodology for how bad guys attack the system," Bret Hartman, CTO
of EMC's RSA
security division, told eWEEK.
"They're going to use every zero-day attack they can throw at you,"
he explained. "They are going to use insider attacks; they're going to use
all kinds of things because they are motivated to take out whatever it is they
want."
The answer, Hartman said, is a next-generation Security Operations Center
(SOC) built on six elements: This vision includes six core elements: risk
planning; attack modeling; virtualized environments; automated, risk-based
systems; self-learning, predictive analysis; and continual improvement through
forensic analyses and community learning.
Preventing attacks also means building
more secure applications. In a conversation with eWEEK, Brad Arkin, Adobe
Systems' director of product security and privacy, discussed some of the ways
Adobe has tried to improve its own development process, and offered advice for
companies looking to do the same.
"The details of what you do with the product team are important, but if
you can't convince the product team they should care about security, then they
are not going to follow along with specifics," Arkin said. "So
achieving that buy-in to me is one of the most critical steps."